

Page 1: [IEEE 2012 International Conference on ICT Convergence (ICTC) - Jeju, Korea (South) (2012.10.15-2012.10.17)] 2012 International Conference on ICT Convergence (ICTC) - Prediction model

Prediction Model for Botnet-based Cyber Threats

Sun-Hee Lim
Cyber Security-Convergence Research Laboratory
Electronics and Telecommunications Research Institute
Daejeon, Korea
Email: [email protected]

Seunghwan Yun
Center for Information Security Technologies
Korea University
Seoul, Korea
Email: [email protected]

Jong-Hyun Kim and Byung-gil Lee
Electronics and Telecommunications Research Institute
Email: {jhk, bglee}@etri.re.kr

Abstract—Recent malicious activity in cyberspace aims both at cyberwar, as in Stuxnet, and at financial gain through spam, distributed denial-of-service (DDoS), identity theft, and phishing, carried out through a large pool of compromised hosts called zombies. Botnets are becoming one of the most serious threats to Internet security. We consider botnet activity and propagation to be the major pre-symptoms of cyber threats and propose a prediction model for cyber threats based on botnets.

Keywords—botnet, DDoS, security, threat, prediction

I. INTRODUCTION

Cyber threats such as Stuxnet, which can pose a national risk, as well as extortion, the collection of personal information from a third party for misuse, the pursuit of financial profit by spreading pornographic or commercial mail to random recipients, or the disabling of a competitor's information systems, have unfortunately become common practice, and over 60% of them are carried out through a botnet [1].

Many botnet detection technologies have been actively proposed in previous studies [2][3][4]. Beyond detection methods, which are organized around botnet characteristics such as protocol, architecture, and signature, research is needed on quantifying and predicting botnet-based cyber threats.

Recent early-warning and forecasting techniques have been studied in Threat Management System (TMS) and Risk Management System (RMS) technologies, in order to detect cyber threats in advance and to provide guidelines for security policy criteria and countermeasures. TMS/RMS technologies are emerging as efficient alternatives that overcome the disadvantages of existing security solutions. However, TMS/RMS focus on forecasting and warning techniques based on information about attack situations that have already occurred. It is therefore difficult to differentiate TMS/RMS technologies from existing security solutions, and difficult to use them as a solution that recognizes a threat situation before the actual attack.

We consider botnet activity and propagation to be the major pre-symptoms of cyber threats, and in this paper we propose a prediction model for cyber threats based on botnets.

II. RELATED WORK

A. Growth of Botnet

A botnet is a network of many computers infected by malicious code, i.e. bots. A great many computers, the zombies, are infected by bots and remotely controlled by a botmaster who holds authority over them. Zombies connect over the network to a command and control (C&C) server that issues commands and control instructions, and they carry out various malicious activities on its behalf.

Early botnets mainly had a centralized structure and used the Internet Relay Chat (IRC) protocol. In a centralized botnet a single C&C server commands and controls many zombies, so the C&C server is easy to detect and block, and detecting and defending against that one C&C server inflicts heavy damage on the botnet because all of its zombies are lost. Botnets have therefore evolved toward a distributed command and control method, the peer-to-peer (P2P) botnet, in which any zombie can act as a C&C server. In addition, the use of HTTP, the web protocol, makes it harder to detect the C&C server and to cope with attacks. Furthermore, evolved botnets use the Domain Name System (DNS) for communication between the C&C server and zombies, because a fixed IP address assigned to the C&C server can easily be blocked by IP tracking. As a more advanced method for evading C&C server detection, a Dynamic DNS (DDNS) service or Fast-Flux technique maps a domain name to a set of IP addresses and continuously changes the address [2].

B. Prediction of Network Threats

Intrusion Detection Systems (IDS) and Intrusion Protection Systems (IPS) are mainly based on identifying, detecting, reporting, and preventing threats and attacks. However, attacks and intrusions are identified and blocked only after they have inflicted serious damage [5]. In the information security field, a forward-looking outlook, analogous to a weather forecast, covering the increasing number of attacks, the risk level of malicious code, and the probability of attack occurrence, may influence decisions on security provisioning before incidents happen. Forecasting techniques for predicting an increase or decrease in attacks can be built using time series analysis, hidden Markov models, or Bayesian inference. However, in practice the feature correlations that such forecasting technologies depend on can be found in meteorology but not in the information security field. Furthermore, it is difficult to define the threshold value that marks the commencement of an attack, because forecasting with Bayesian inference computes conditional probabilities from counts of past-observed events or attack events [6]; that is, the criteria separating "before" from "after" an attack are indefinite.

340    978-1-4673-4828-7/12/$31.00 ©2012 IEEE    ICTC 2012


III. BOTNET-BASED PREDICTION MODEL

This paper proposes a prediction model that estimates the degree of botnet-based threats by monitoring botnet size, activity, and propagation across the whole area, unlike the prediction models of existing research, which are based on time series analysis.

A. Botnet Detection

1) Monitoring Group Activities in DNS traffic: The paper [2] proposed a botnet detection mechanism that monitors DNS traffic. The botnet characteristics used there are the source IP, the connection activity, and the patterns with which hosts access the C&C server. In a botnet a fixed set of clients contacts the C&C server, and in particular situations the traffic increases drastically as a group activity. The use of DDNS is usually classified as abnormal behavior. By contrast, the DNS traffic patterns with which normal users access a specific domain name are not well defined: they are universal, random, and continuous.

2) BotSniffer and BotMiner: BotSniffer [3] is designed mainly for detecting C&C activity with centralized servers and protocols such as IRC and HTTP. However, detection approaches designed for IRC- or HTTP-based botnets may become ineffective because botnets are evolving and can be quite flexible. To address this problem, BotMiner [4] proposed a general detection framework that is independent of the botnet's C&C protocol and structure and requires no a priori knowledge of botnets.

B. Prediction Model for the Threats Estimation

We define the prediction model for estimating the degree of actually active botnet-based threats by monitoring botnet activity, size, and behavior.

We define the C&C server set $S$, the active botnet set $B$, and the active zombie set $Z_{C_i}$ as follows.

$S = \{(C_i, D_i) \mid C_i \text{: C\&C server}, \; D_i \text{: detection time}, \; i \ge 0\}$

$B = \{(C_i, Z_{C_i}) \mid C_i \in S, \; Z_{C_i} \text{: active zombie set}, \; 0 \le i \le |S|\}$

$Z_{C_i} = \{(z_{ij}, f_{ij}, e_{ij}) \mid z_{ij} \text{: zombie IP}, \; f_{ij} \text{: frequency}, \; e_{ij} \in E, \; 0 \le j \le B_{size}\}$

Let $B_{size}$ be the number of zombies across all ISP domains that access the corresponding C&C server.

$B_{size} = \sum_{i=1}^{|S|} C_{size_i}, \quad C_{size_i} = |Z_{C_i}|, \quad C_i \in S$

Let $B_{frequency}$ be the number of signaling exchanges between the C&C server and its zombies. It accounts for the fact that a C&C server may command and control zombies frequently, for example with keep-alive messages to confirm whether zombies are alive, before the botmaster attempts an attack.

$C_{frequency_i} = \left( \sum_{j=1}^{|Z_{C_i}|} f_{ij} \right) / |Z_{C_i}|$

$B_{frequency} = \left( \sum_{i=1}^{|S|} C_{frequency_i} \right) / |S|$

Set of the ISP domain:

$ISP = \{D_i \mid D_i \text{ is an element of the ISP domain}, \; i > 1\}$

$BPD_i = \sum_{i=1}^{|S|} |(Z_{C_i} \in D_i)|, \quad C_i \in S, \quad D_i \in ISP$

$A$ is the type of activity, such as scanning or spamming, and $\omega(A) \ge 1$ is an activity weight assigned to $A$. $\omega(A)$ assigns higher values to "strong" activities (e.g., spam and exploit) and lower values to "weak" activities (e.g., scanning and binary download) [4].

Let $\omega(\text{none}) = 1$, $\omega(\text{scan}) = 2$, $\omega(\text{binary download}) = 3$, $\omega(\text{spam}) = 4$, and $\omega(\text{exploit}) = 5$, so that the other parameters are still reflected when zombies are inactive.

Finally, the degree of threat ($DT$) is defined as

$DT = \sum_{i=1}^{|S|} \omega_i(A) \, C_{size_i} \, \left( C_{frequency_i} / B_{frequency} \right)$

and the degree of threat of an ISP domain as

$V_{ISP} = \left( BPD_i / B_{size} \right) < 1.$

An ISP is weaker as $V_{ISP}$ approaches 1. Fig. 1 depicts $DT$ as the volume of boxes.

Fig. 1. DT : The Diagram of Forecasting Model
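As an added example that is not part of the paper, the following Python computes $DT$ and $V_{ISP}$ from the definitions above on a constructed set of C&C servers and zombies. Two assumptions are made where the paper leaves the detail open: the per-server weight $\omega_i(A)$ is taken as the strongest activity observed in $Z_{C_i}$, and a zombie's ISP domain is looked up by IP prefix.

```python
# Added example (not the paper's code): degree of threat DT and per-ISP V_ISP.
from collections import defaultdict

# Activity weights omega(A) exactly as defined in the paper.
OMEGA = {"none": 1, "scan": 2, "binary download": 3, "spam": 4, "exploit": 5}

# Constructed sample data: each C&C server C_i maps to its active zombie set Z_Ci,
# where every zombie is (zombie IP z_ij, signaling frequency f_ij, activity e_ij).
BOTNET = {
    "cnc-A": [("10.1.0.5", 12, "spam"), ("10.1.0.9", 8, "spam"), ("10.2.0.3", 4, "scan")],
    "cnc-B": [("10.2.0.7", 2, "none"), ("10.3.0.1", 6, "binary download")],
}
# Assumption: ISP domain membership is resolved from the IP prefix (constructed table).
ISP_OF_PREFIX = {"10.1.": "ISP-1", "10.2.": "ISP-2", "10.3.": "ISP-3"}


def isp_of(ip):
    return next(d for p, d in ISP_OF_PREFIX.items() if ip.startswith(p))


def c_frequency(zombies):
    # C_frequency_i = (sum_j f_ij) / |Z_Ci|
    return sum(f for _, f, _ in zombies) / len(zombies)


def b_frequency(botnet):
    # B_frequency = (sum_i C_frequency_i) / |S|
    return sum(c_frequency(z) for z in botnet.values()) / len(botnet)


def omega_i(zombies):
    # Assumption: omega_i(A) is the weight of the strongest activity seen in Z_Ci;
    # omega(none) = 1 keeps inactive zombies contributing their size and frequency.
    return max(OMEGA[e] for _, _, e in zombies)


def degree_of_threat(botnet):
    # DT = sum_i omega_i(A) * C_size_i * (C_frequency_i / B_frequency)
    bf = b_frequency(botnet)
    return sum(omega_i(z) * len(z) * (c_frequency(z) / bf) for z in botnet.values())


def v_isp(botnet):
    # V_ISP = BPD_i / B_size: share of all active zombies located in each ISP domain.
    b_size = sum(len(z) for z in botnet.values())
    bpd = defaultdict(int)
    for zombies in botnet.values():
        for ip, _, _ in zombies:
            bpd[isp_of(ip)] += 1
    return {d: n / b_size for d, n in bpd.items()}
```

With the sample data, cnc-A signals twice as often as the botnet average and carries spam, so it dominates $DT$, while ISP-1 and ISP-2 each host 40% of the active zombies.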

IV. CONCLUSION

Botnets are one of the most serious threats, and we consider botnets to be major pre-symptoms of cyber threats. We monitor botnets, the communication between C&C servers and zombies, and measure the degree of a domain's potential threat through botnet activity.

ACKNOWLEDGMENT

This paper has been supported by the Software R&D program of KCC. [2012/10912-06002, Development of global collaborative integrated security control system]

REFERENCES

[1] http://en.wikipedia.org/wiki/Botnet
[2] H. Choi, H. Lee, H. Lee, H. Kim, "Botnet detection by monitoring group activities in DNS traffic," in Computer and Information Technology, 2007. CIT 2007. 7th IEEE International Conference on, 2007, pp. 715-720.
[3] G. Gu, J. Zhang, W. Lee, "BotSniffer: Detecting botnet command and control channels in network traffic," in Proceedings of the 15th Annual Network and Distributed System Security Symposium (NDSS'08), 2008.
[4] G. Gu, R. Perdisci, J. Zhang, W. Lee, "BotMiner: clustering analysis of network traffic for protocol- and structure-independent botnet detection," in Proceedings of the 17th conference on Security symposium, 2008, pp. 139-154.
[5] E. Pontes, A. E. Guelfi, "IFS–Intrusion Forecasting System Based on Collaborative Architecture," ICDIM 2009, pp. 217-222.
[6] C. Ishida, Y. Arakawa, I. Sasase, "Forecast Techniques for Predicting Increase and Decrease of Attacks Using Bayesian Inference," IEEE PACRIM, 2005, pp. 450-453.

341